Analyzing important factors in cybersecurity incidents using table-top exercise

Open Access
Article
Conference Proceedings
Authors: Kenta Nakayama, Ichiro Koshijima, Kenji Watanabe

Abstract: In recent years, the threat of cyber-attacks has been increasing yearly, and organizations of all kinds should take countermeasures against it. In the face of increasing threats, organizations need to take not only technical measures but also human countermeasures. However, cyber-attacks themselves are becoming more sophisticated, so it is important for organizations to prepare countermeasures and organizational structures based on the assumption that incidents due to cyber-attacks will occur. Moreover, organizations are required to minimize the damage caused by cyber-attack incidents and continue their business operations. This study focused on human countermeasures, especially organizational structures, designed an incident response exercise, and conducted it with approximately 60 members of a critical infrastructure company in Japan. Based on the records of the exercise and the results of the post-exercise questionnaire, this study examines the organizational and human barriers that organizations may face in incident response and the organizational structure that minimizes the damage from incidents. The incident response exercise was based on a scenario in which a hypothetical local infrastructure company was infected with ransomware and could not fulfill its role as a local infrastructure. The roles of management, IT department, and upper-level managers and personnel in the field departments were defined, and how incident response would be conducted from each position was examined. The exercise was recorded chronologically using the chronology used in disaster recovery, and the instructions, including who gave them and to whom, were organized in chronological order so that the participants could look back on the details of their responses after the exercise. A questionnaire survey was conducted after the exercise, and the exercise itself received a high evaluation, with an average score of 4 or higher out of 5.
In addition, information on important items in incident response, including changes before and after the exercise, was collected through free-response statements. Context-based evaluation and analysis of the collected results revealed what members of the Japanese critical infrastructure community consider important in incident response. Furthermore, from the contents recorded in chronology during the exercise, the process of escalation and decision-making to management and upper management was analyzed to identify barriers such as delays in reporting and decision-making that may lead to the expansion of incident damage. In addition, based on the results of these analyses, we will deepen our thinking and make recommendations on the organizational structure and transfer of authority for rapid incident response.

Keywords: Cybersecurity, Incident Response, Human Factor Countermeasures, Resilience, Table Top Exercise

DOI: 10.54941/ahfe1004770
